WordPress.org

Make WordPress Core


Ignore:
Timestamp:
01/31/2021 07:02:30 PM (3 months ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Introduce fine grained capabilities.

Previously, all permission checks for using app passwords were implemented using edit_user. This commit introduces a series of more fine grained meta capabilities that should be used instead: create_app_password, list_app_passwords, read_app_password, edit_app_password, delete_app_password and delete_app_passwords. These capabilities all map to edit_user by default, but may now be customized by developers.

Props johnbillion, TimothyBlynJacobs.
Fixes #51703.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php

    r50065 r50114  
    111111     */
    112112    public function get_items_permissions_check( $request ) {
    113         return $this->do_permissions_check( $request );
     113        $user = $this->get_user( $request );
     114
     115        if ( is_wp_error( $user ) ) {
     116            return $user;
     117        }
     118
     119        if ( ! current_user_can( 'list_app_passwords', $user->ID ) ) {
     120            return new WP_Error(
     121                'rest_cannot_list_application_passwords',
     122                __( 'Sorry, you are not allowed to list application passwords for this user.' ),
     123                array( 'status' => rest_authorization_required_code() )
     124            );
     125        }
     126
     127        return true;
    114128    }
    115129
     
    150164     */
    151165    public function get_item_permissions_check( $request ) {
    152         return $this->do_permissions_check( $request );
     166        $user = $this->get_user( $request );
     167
     168        if ( is_wp_error( $user ) ) {
     169            return $user;
     170        }
     171
     172        if ( ! current_user_can( 'read_app_password', $user->ID, $request['uuid'] ) ) {
     173            return new WP_Error(
     174                'rest_cannot_read_application_password',
     175                __( 'Sorry, you are not allowed to read this application password.' ),
     176                array( 'status' => rest_authorization_required_code() )
     177            );
     178        }
     179
     180        return true;
    153181    }
    154182
     
    180208     */
    181209    public function create_item_permissions_check( $request ) {
    182         return $this->do_permissions_check( $request );
     210        $user = $this->get_user( $request );
     211
     212        if ( is_wp_error( $user ) ) {
     213            return $user;
     214        }
     215
     216        if ( ! current_user_can( 'create_app_password', $user->ID ) ) {
     217            return new WP_Error(
     218                'rest_cannot_create_application_passwords',
     219                __( 'Sorry, you are not allowed to create application passwords for this user.' ),
     220                array( 'status' => rest_authorization_required_code() )
     221            );
     222        }
     223
     224        return true;
    183225    }
    184226
     
    249291     */
    250292    public function update_item_permissions_check( $request ) {
    251         return $this->do_permissions_check( $request );
     293        $user = $this->get_user( $request );
     294
     295        if ( is_wp_error( $user ) ) {
     296            return $user;
     297        }
     298
     299        if ( ! current_user_can( 'edit_app_password', $user->ID, $request['uuid'] ) ) {
     300            return new WP_Error(
     301                'rest_cannot_edit_application_password',
     302                __( 'Sorry, you are not allowed to edit this application password.' ),
     303                array( 'status' => rest_authorization_required_code() )
     304            );
     305        }
     306
     307        return true;
    252308    }
    253309
     
    309365     */
    310366    public function delete_items_permissions_check( $request ) {
    311         return $this->do_permissions_check( $request );
     367        $user = $this->get_user( $request );
     368
     369        if ( is_wp_error( $user ) ) {
     370            return $user;
     371        }
     372
     373        if ( ! current_user_can( 'delete_app_passwords', $user->ID ) ) {
     374            return new WP_Error(
     375                'rest_cannot_delete_application_passwords',
     376                __( 'Sorry, you are not allowed to delete application passwords for this user.' ),
     377                array( 'status' => rest_authorization_required_code() )
     378            );
     379        }
     380
     381        return true;
    312382    }
    313383
     
    350420     */
    351421    public function delete_item_permissions_check( $request ) {
    352         return $this->do_permissions_check( $request );
     422        $user = $this->get_user( $request );
     423
     424        if ( is_wp_error( $user ) ) {
     425            return $user;
     426        }
     427
     428        if ( ! current_user_can( 'delete_app_password', $user->ID, $request['uuid'] ) ) {
     429            return new WP_Error(
     430                'rest_cannot_delete_application_password',
     431                __( 'Sorry, you are not allowed to delete this application password.' ),
     432                array( 'status' => rest_authorization_required_code() )
     433            );
     434        }
     435
     436        return true;
    353437    }
    354438
     
    458542     *
    459543     * @since 5.6.0
     544     * @deprecated 5.7.0 Use `edit_user` directly or one of the specific meta capabilities introduced in 5.7.0.
    460545     *
    461546     * @param WP_REST_Request $request
     
    463548     */
    464549    protected function do_permissions_check( $request ) {
     550        _deprecated_function( __METHOD__, '5.7.0' );
     551
    465552        $user = $this->get_user( $request );
    466553
Note: See TracChangeset for help on using the changeset viewer.